Find SQL injection vulnerabilities with sqlmap
By Jake Edge
September 3, 2008
SQL injections are a particularly
nasty type of web application vulnerability that can lead to loss or
disclosure of the contents of a database. Testing a web application to find SQL
injection holes can be a tedious process, which is where the sqlmap tool may come in handy.
sqlmap automates the process of testing a particular web page for various
kinds of SQL injection flaws.
Sqlmap is a command-line driven Python application that can help in both
finding and exploiting SQL injections. By giving it a URL and parameter
names of interest (from HTML forms or GET parameters), it tries to
determine which of those parameters cause different output based on their
value, indicating that they control the dynamic behavior of the
application. Those parameters are then tested by repeatedly making an HTTP
request with slightly different values. Each of the values passed
corresponds to a SQL injection technique, such as appending a
single-quote. Based on whether the HTML response is different from the
original response, the
potential for a SQL injection can be inferred.
The tool also tests an often overlooked input source: cookies. The user
can specify a cookie value which the tool will then manipulate to attempt a
SQL injection via the cookie. Since many applications store their session
information in a database using the cookie value as a key, this is a
relatively common route to SQL injection—one that penetration tests
sometimes miss.
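To make the inference step concrete, here is an added example (not code from the article or from sqlmap) that models the cookie-keyed session lookup described above in two forms: a string-concatenated query and a parameterized one. The probe appends a single quote, as the article describes, and the comparison against a plain wrong cookie (the control) is an assumption of this example; it shows why a parameterized lookup gives a tester nothing to work with.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a session table keyed by cookie value."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO sessions VALUES ('abc123', 'alice')")
    db.commit()
    return db


def lookup_vulnerable(db, cookie):
    """Session lookup by string concatenation: the cookie text becomes SQL."""
    sql = "SELECT username FROM sessions WHERE sid = '" + cookie + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A stray quote breaks the statement; the error leaks into the response.
        return "500 database error: %s" % exc
    return "200 hello %s" % (row[0] if row else "guest")


def lookup_hardened(db, cookie):
    """Same lookup with a bound parameter: the cookie is data, never SQL text."""
    row = db.execute("SELECT username FROM sessions WHERE sid = ?", (cookie,)).fetchone()
    return "200 hello %s" % (row[0] if row else "guest")


def looks_injectable(handler, db, cookie):
    """Mimic the response-comparison inference from the article.

    Three requests: the original cookie, the cookie with a single quote
    appended, and a control value that is simply a wrong cookie. A response
    that differs from the original is not enough on its own (a wrong cookie
    also differs); the quote must produce something the control does not.
    """
    original = handler(db, cookie)
    probed = handler(db, cookie + "'")
    control = handler(db, "not-a-real-session")  # constructed control value
    return probed != original and probed != control


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", looks_injectable(lookup_vulnerable, db, "abc123"))
    print("hardened:  ", looks_injectable(lookup_hardened, db, "abc123"))
```

The hardened handler answers the quoted cookie exactly as it answers any other unknown session, so the probe carries no signal.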
While it does help remove some of the tedium involved in testing for SQL
injections, sqlmap is by no means an automated solution. A fair amount of
work is required to find a vulnerable parameter. Once a
vulnerability has been found, though, a great deal of information,
including database contents, can be retrieved with a single command.
Like many security tools, sqlmap can be used rather easily by those with malicious intent.
The automated retrieval of database passwords and contents
from a vulnerable application is particularly powerful—thus
dangerous. For some database installations, there is even a mode that will
get a shell prompt on the server as the user that runs the database application.
Because it is free software, sqlmap is very useful for understanding SQL
injections and, perhaps more importantly, what kinds of things an attacker
can do by abusing a vulnerable application. There is excellent documentation,
both for developers and users.
Sqlmap recently released version 0.6 and is
certainly worth a look for anyone interested in testing a web application
or curious about SQL injection in general.
New vulnerabilities
ruby: multiple vulnerabilities
| Package(s): | ruby |
| CVE #(s): | CVE-2008-3655, CVE-2008-3656, CVE-2008-3657 |
| Created: | September 1, 2008 |
| Updated: | December 4, 2008 |
| Description: | From the CVE entries: |
CVE-2008-3655: Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.
CVE-2008-3656: Algorithmic complexity vulnerability in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted HTTP request that is processed by a backtracking regular expression.
CVE-2008-3657: The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.
slash: SQL injection, cross-site scripting
| Package(s): | slash |
| CVE #(s): | CVE-2008-2231, CVE-2008-2553 |
| Created: | September 2, 2008 |
| Updated: | September 3, 2008 |
| Description: | From the Debian alert: |
It has been discovered that Slash, the Slashdot Like Automated Storytelling Homepage, suffers from two vulnerabilities related to insufficient input sanitation, leading to execution of SQL commands (CVE-2008-2231) and cross-site scripting (CVE-2008-2553).
wordnet: stack and heap overflows
| Package(s): | wordnet |
| CVE #(s): | CVE-2008-2149 |
| Created: | September 2, 2008 |
| Updated: | October 7, 2008 |
| Description: | From the Debian alert: |
Rob Holland discovered several programming errors in WordNet, an electronic lexical database of the English language. These flaws could allow arbitrary code execution when used with untrusted input, for example when WordNet is in use as a back end for a web application.
Page editor: Jake Edge